Approval documentation — UPDM

The Company's Personal Data Processing Policy

1. GENERAL PROVISIONS

The Personal Data Processing Policy (hereinafter referred to as the Policy) is developed in accordance with Federal Law No. 152-FZ dated 27.07.2006 “On Personal Data” (hereinafter referred to as FZ-152).

The present Policy establishes personal data processing procedure and measures to ensure personal data protection in OOO RusHimOpt (hereinafter referred to as the Operator) in order to protect human and civil rights and freedoms in the course of personal data processing including protection of rights to personal privacy, personal and family secret.

The following main terms are used in the Policy:

  • automated personal data processing means personal data processing by means of computer technology;
  • personal data blocking means temporary cessation of personal data processing (except for the cases when processing is required for personal data specification);
  • personal data information system means personal data complex contained in the databases and information technologies and hardware ensuring its processing; personal data anonymization means actions as a result of which it is impossible to determine that personal data belongs to the specific personal data subject without using additional information; personal data processing means any action (operation) or a combination of actions (operations) with personal data performed both with or without using automation means including collection, recording, systematization, accumulation, storage, specification (updating, changing), extraction, use, transfer (including distribution, provision, access), anonymizing, blocking, deleting, destruction of personal data;
  • operator means state agency, municipal authority, legal entity or individual that independently or in cooperation with other persons organizes and/or processes personal data as well as determines the purposes and scope of personal data subject to processing, actions (operations) performed with personal data; personal data means any information referring directly or indirectly to the particular or identified individual (hereinafter referred to as the "personal data subject");
  • personal data provision means actions aimed at personal data disclosing to a certain person or persons;
  • personal data distribution means actions aimed at personal data disclosing to an indefinite range of persons (personal data transfer) or familiarization with the personal data of an unlimited number of persons including personal data publication in the media, placement in information and telecommunication networks or providing access to personal data in any other way;
  • personal data destruction means actions as a result of which it is impossible to restore personal data content in the respective personal data information system and (or) as a result of which personal data tangible media are destroyed; The company shall publish or otherwise provide unrestricted access to the present Personal data processing policy in accordance with Part 2 of Art. 18.1. of FZ-152.

2. PRINCIPLES AND CONDITIONS OF PERSONAL DATA PROCESSING

2.1. Personal data processing by the Operator shall be carried out on the basis of the following principles:

  • based on law and justice;
  • personal data processing restriction to achieving specific pre-determined and legal purposes;
  • prohibition of personal data processing incompatible with personal data collection purposes;
  • prohibition of combination of databases containing personal data to be processed for the purposes incompatible with each other;
  • processing only the personal data that complies with the purposes of its processing.
  • personal data content and scope compliance with the declared processing purposes;
  • prohibition of processing personal data in excess to the declared purposes of its processing;
  • ensuring personal data accuracy, sufficiency and relevancy in relation to the personal data processing purposes;
  • personal data destruction or anonymizing upon achievement of its processing objectives or in case of absence of further need to achieve such objectives in case of the Operator's impossibility to eliminate the violations committed in the course of peronal data processing unless otherwise provided for by the federal law.

2.2. Conditions of Personal Data Processing

The Operator shall process personal data subject to existence of at least one of the following conditions:

  • personal data processing is carried out upon the personal data subject's consent to process his / her personal data;
  • personal data processing is required for achieving the objectives set forth by the international treaty of the Russian Federation or by the law for exercising and performing the functions, powers and obligations imposed on the Operator by the legislation of the Russian Federation.
  • personal data processing is required for administration of justice or enforcement of a judicial act or an act of another body or official being enforceable in accordance with the legislation of the Russian Federation concerning enforcement proceedings;
  • personal data processing is required for performance of the agreement the party to which or beneficiary or guarantor under which is the personal data subject as well as for conclusion of a contract initiated by the personal data subject or a contract under which the personal data subject is the beneficiary or guarantor;
  • personal data processing is required for exercising of rights and lawful interests of the Operator or third parties or for achievement of socially significant objectives provided this does not infringe rights and freedoms of the personal data subject; − processing of personal data access to which is provided to an unlimited range of persons by the personal data subject or at his / her request (hereinafter referred to as the publicly available personal data);
  • processing of personal data subject to publication or compulsory disclosure in accordance with the federal law.

2.3. Personal Data Confidentiality

Operators and other persons that have obtained access to personal data shall not disclose personal data to third parties as well as shall not distribute personal data without consent of the personal data subject unless otherwise provided for by the federal law.

2.4. Publicly Accessible Personal Data Sources

The Operator can create publicly accessible personal data sources including reference books and address books in order to ensure information support. Subject to written consent of the personal data subject his / her surname, first name, patronymic name, year and place of birth, position,contact phone numbers, email address and other personal data communicated by the personal data subject may be included into publicly accessible personal data sources. Information about the personal data subject shall at any time be excluded from the publicly accessible personal data sources upon request of the personal data subject or by decision of court or other authorized state bodies.

2.5. Special Categories of Personal Data

Processing of special categories of personal data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, state of health or intimate life by the Operator shall be allowed only in the following cases:

  • if the personal data subject has given his /her written consent to processing of his her personal data;
  • the personal data has been made public by the personal data subject;
  • personal data processing is carried out in accordance with the legislation concerning state social are, labour legislation or the legislation of the Russian Federation concerning state-provided pensions and retirement pensions;
  • personal data processing is necessary to protect life, health or other vital interests of the personal data subject or life, health or other vital interests of other persons and it is impossible to obtain consent of the personal data subject;
  • personal data processing is carried out for the purposes of preventative medicine, determination of medical diagnosis, provision of medical and social care services provided that personal data processing is carried out by the person carrying out professional medical activity and obliged to maintain medical confidentiality in accordance with the legislation of the Russian Federation;
  • personal data processing is necessary in order to establish or exercise the rights of the personal data subject or third parties as well as in connection with administration of justice; − personal data processing is carried out in accordance with legislation concerning compulsory types of insurance and insurance legislation.

Processing of special categories of personal data shall be immediately terminated if the reasons for its processing have been eliminated unless otherwise established by the federal law. Processing of personal data concerning criminal convictions may be carried out by the Operator only in cases and in the manner provided for by the federal laws.

2.6. Biometric Personal Data

Information concerning the individual's physiological and biological characteristics from which he/she may be identified (biometric personal data) may be processed by the Operator only subject to written consent of the personal data subject.

2.7. Delegation of Personal Data Processing Functions to Another Person

The Operator shall be entitled to delegate personal data processing functions to another person with consent of the personal data subject unless otherwise provided for by the federal law on the basis of the agreement concluded with such person. The person carrying out personal data processing as instructed by the Operator shall comply with the principles and rules for personal data processing provided for in FZ-152.

2.8. Cross-Border Personal Data Transfer

The Operator shall make sure that the foreign state to the territory of which personal data is to be transferred ensures adequate protection of the personal data subject's rights before commencement of such cross-border personal data transfer. Cross-border personal data transfer to the territories of foreign states that do not ensure adequate protection of the personal data subject's rights may be carried out in the following cases: − in case of availability of the personal data subject's written consent to the cross-border transfer of his/her personal data; − in case of performance of the contract the party to which is the personal data subject.

3. PERSONAL DATA SUBJECT'S RIGHTS

3.1 Personal data subject's consent to process his / her personal data

The personal data subject shall take decision related to his / her personal data provision and shall give consent to processing thereof voluntarily, of his / her own free will and for his / her own benefit. Consent to process personal data may be given by the personal data subject or his / her representative in any form that allows to confirm its receipt unless otherwise provided for by the federal law. The obligation to provide the proof of receipt of the personal data subject's consent to process his / her personal data or the proof of existence of the grounds specified in FZ-152 shall be assigned to the Operator.

3.2 Personal Data Subject's Rights.

The personal data subject shall be entitled to receive information regarding processing of his / her personal data from the Operator if such right is not limited in accordance with federal laws. The personal data subject shall be entitled to require from the Operator to specify, block or destroy his / her personal data if such personal data is incomplete, out-of-date, inaccurate, unlawfully obtained or is not necessary for the declared purpose of processing as well as shall be entitled to take measures to protect his / her rights provided for by the law. Personal data processing for the purpose to promote goods, works, services at the market by making direct contacts with the potential consumer using means of communication as well as for political agitation shall be allowed only upon prior consent of the personal data subject.

Such personal data processing shall be considered as carried out without prior consent of the personal data subject unless the Company proves that such consent has been obtained. The Operator shall upon the personal data subject's request immediately stop processing of his / her personal data for the above mentioned purposes.

It is prohibited to make decisions creating legal consequences for the personal data subject or otherwise influencing his / her rights and lawful interests solely on the basis of automated personal data processing except for the cases provided for by the federal laws or in case of the personal data subject's written consent.

If the personal data subject considers that the Operator is processing his / her personal data not in compliance with the requirements of FZ-152 or is otherwise violating his / her rights and freedoms the personal data subject shall be entitled to submit the complaint in relation to the Operator's actions or omissions to the authorized body for personal data subjects’ rights protection or apply to court.

The personal data subject shall be entitled to protect his / her rights and lawful interests including the right to compensation of damages and (or) moral damage through legal proceedings.

4. PERSONAL DATA SECURITY ENSURING

Security of personal data processed by the Operator shall be ensured by implementation of legal, organizational and technical measures necessary to meet the requirements of federal legislation in the sphere of personal data protection.

In order to prevent unauthorized access to personal data the Operator shall apply the following organizational and technical measures:

  • appointment of officers responsible for organizing personal data processing and protection;
  • restriction of the number of persons having access to personal data;
  • the subjects familiarization with the requirements of federal legislation and regulatory documents of the Operator related to personal data processing and protection;
  • organization of storage, handling and keeping records of media containing personal data;
  • identifying the threats to personal data security in the course of its processing, forming the threats models on the basis thereof;
  • development personal data protection system based on the threats model;
  • verification of availability and efficiency of information security tools use;
  • differentiation of user access to information resources and software and hardware used for information processing;
  • registration and recording of actions of personal data information systems users;
  • use of antivirus tools and personal data protection system recovery tools;
  • use of firewalling, intrusion detection means, security analysis and means of cryptographic information protection if necessary;
  • organization of control of access to the Operator's territory, ensuring security of premises with technical means for personal data processing.